4.6.8: problems with DNS set to Automatic

(Edit: this problem appears even after a factory reset, however I am leaving intact my initial 2 posts from before I tried a reset.)

It seems that on 4.6.8 on a Slate AX with a WireGuard VPN (in client mode, meaning all Internet-bound traffic is sent via the VPN) and Tailscale running, if I have Encrypted DNS enabled (DoT, Cloudflare) and change the DNS mode back to Automatic, the DNS server on the Slate AX does not properly restart, even after multiple reboots!

Observed behavior: I'm sending it queries with nslookup on a Linux host, and it no longer responds to queries after it is set to Automatic mode, even after a reboot. Also, other hosts in the Slate AX's network cannot resolve hostnames unless they have their own DNS resolver.

After a reboot, etc., the VPN is up and working normally, and hosts with their own resolver (such as my personal laptop) work fine, but hosts dependent on the Slate AX for name resolution can't do it. So it seems I'm not imagining things and the DNS server really is dead.

There is some interesting stuff in the logs just looking at dnsmasq; note how at one point a DHCP server fires up for 192.168.8.x when the router is configured with the LAN network as 17x.2x.1xx.x ... Either way, DNS queries are not being properly served to hosts in 17x.2x.1xx.x. And yet dnsmasq appears to be responding to DHCP requests, so it's not completely dead.

Wed Oct 30 21:55:50 2024 user.notice dnsmasq: DNS rebinding protection is active, will discard upstream RFC1918 responses!
Wed Oct 30 21:55:50 2024 user.notice dnsmasq: Allowing 127.0.0.0/8 responses
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: Connected to system UBus
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: started, version 2.85 cachesize 1
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: UBus support enabled: connected to system bus
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain test
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain onion
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain localhost
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain local
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain invalid
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain bind
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain lan
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: using nameserver 100.100.100.100#53 for domain ts.net
Wed Oct 30 21:55:51 2024 daemon.warn dnsmasq[2357]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: read /etc/hosts - 4 addresses
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses

...

Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: reading /tmp/resolv.conf.d/resolv.conf.auto
Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain test
Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain onion
Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain localhost
Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain local
Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain invalid
Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain bind
Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: using only locally-known addresses for domain lan
Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: using nameserver 100.100.100.100#53 for domain ts.net
Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: using nameserver [wan upstream router IP]#53

...

Wed Oct 30 21:55:55 2024 user.notice firewall: Reloading firewall due to ifup of loopback (lo)
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[2357]: exiting on receipt of SIGTERM
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: Connected to system UBus
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: started, version 2.85 cachesize 1
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: UBus support enabled: connected to system bus
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq-dhcp[4243]: DHCP, IP range 17x.2x.1xx.100 -- 17x.2x.1xx.249, lease time 12h
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain test
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain onion
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain localhost
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain local
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain invalid
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain bind
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain lan
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using nameserver 100.100.100.100#53 for domain ts.net
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: reading /tmp/resolv.conf.d/resolv.conf.auto
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain test
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain onion
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain localhost
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain local
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain invalid
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain bind
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using only locally-known addresses for domain lan
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using nameserver 100.100.100.100#53 for domain ts.net
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using nameserver [wan upstream router IP]#53
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: read /etc/hosts - 4 addresses
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: read /tmp/hosts/dhcp.cfg01411c - 3 addresses
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq-dhcp[4243]: read /etc/ethers - 0 addresses

...

Wed Oct 30 21:56:02 2024 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5254]: Connected to system UBus
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: started, version 2.85 cache disabled
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: DNS service limited to local subnets
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: UBus support enabled: connected to system bus
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq-dhcp[5256]: DHCP, IP range 192.168.8.100 -- 192.168.8.249, lease time 12h
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: using only locally-known addresses for domain test
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: using only locally-known addresses for domain onion
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: using only locally-known addresses for domain localhost
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: using only locally-known addresses for domain local
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: using only locally-known addresses for domain invalid
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: using only locally-known addresses for domain bind
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: using only locally-known addresses for domain lan
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: using nameserver 100.100.100.100#53 for domain ts.net
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: using nameserver 10.1xx.2x.1#53
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: read /etc/hosts - 4 addresses
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: read /tmp/hosts/dhcp.cfg01411c - 3 addresses
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq-dhcp[5256]: read /etc/ethers - 0 addresses

...

Wed Oct 30 21:56:47 2024 daemon.info dnsmasq-dhcp[4243]: DHCPREQUEST(br-lan) 17x.2x.1xx.248 xx:xx:xx:xx:xx:e0
Wed Oct 30 21:56:47 2024 daemon.info dnsmasq-dhcp[4243]: DHCPACK(br-lan) 17x.2x.1xx.248 xx:xx:xx:xx:xx:e0 mylaptop

Settings of interest

  • DNS Rebinding Attack Protection: on

  • Override DNS Settings of All Clients: off

  • Allow Custom DNS to Override VPN DNS: on

  • Block Non-VPN Traffic: on

  • 5GHz wifi is on a DFS channel if it matters

Observations

When querying with nslookup, queries to the router time out in most cases (i.e. are not 'refused' or respond with some other failure - rather, the router is not responding to queries at all).

  1. Restarting the VPN: does not restore name resolution

  2. Turning off Allow Custom DNS to Override VPN DNS: does not restore name resolution

  3. Turning off Allow Custom DNS to Override VPN DNS and also rebooting: does not restore name resolution

  4. Turning off DNS Rebinding Attack Protection: does not restore name resolution

  5. Switching back to Encrypted DNS / DoT / Cloudflare: immediately restores name resolution

  6. Switching to Manual DNS and specifying the upstream router: nslookup starts seeing 'Refused' instead of timeouts ... goes back to timeouts upon switching back to Automatic.

  7. Switching to Manual DNS and selecting a preset provider: immediately restores name resolution

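The log above is consistent with two dnsmasq processes being alive at once: PID 4243 (DHCP range 17x.2x.1xx.100-249, upstream = WAN router) is never seen exiting, PID 5256 (range 192.168.8.100-249, upstream 10.1xx.2x.1) starts right after the wgclient ifup, and 44 seconds later it is still 4243 that answers the DHCPREQUEST. The script below is an added example, not code from the original post or from GL.iNet. It parses syslog lines of the shape shown above and flags a dnsmasq PID that logs "started" while an older PID has not yet logged its SIGTERM exit, then checks whether the superseded PID keeps logging. The embedded sample log is constructed to mirror the thread's lines; the addresses in it (172.20.100.0/24 for the masked LAN, 192.0.2.1 for the WAN router, 10.100.20.1 for the second upstream) are placeholders, not values from the page.

```python
"""Spot overlapping dnsmasq instances in OpenWrt-style syslog output.

Added example; not code from the original post or from GL.iNet.
"""
import re
from collections import OrderedDict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"(?P<fac>\S+) (?P<prog>dnsmasq(?:-dhcp)?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
RANGE_RE = re.compile(r"DHCP, IP range (\S+) -- ([^\s,]+)")
# Default upstream only; 'using nameserver X#53 for domain Y' lines are excluded.
UPSTREAM_RE = re.compile(r"^using nameserver (\S+)#53$")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse(lines):
    """Yield (timestamp, program, pid, message) for lines that carry a dnsmasq PID.
    Lines such as 'user.notice dnsmasq: ...' have no PID and are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["prog"], int(m["pid"]), m["msg"]


def analyze(lines):
    """Return (instances, overlaps).
    instances: pid -> {start, exit, range, upstream, warnings, last}
    overlaps:  one entry per 'started' seen while an older PID had not logged its exit."""
    inst = OrderedDict()
    overlaps = []
    for ts, prog, pid, msg in parse(lines):
        info = inst.setdefault(pid, {"start": None, "exit": None, "range": None,
                                     "upstream": [], "warnings": [], "last": ts})
        info["last"] = ts
        if msg.startswith("started, version"):
            info["start"] = ts
            live = [p for p, i in inst.items()
                    if p != pid and i["start"] is not None and i["exit"] is None]
            if live:
                overlaps.append({"new_pid": pid, "still_running": live, "ts": ts})
        elif msg.startswith("exiting on receipt of SIGTERM"):
            info["exit"] = ts
        elif (m := RANGE_RE.search(msg)):
            info["range"] = (m.group(1), m.group(2))
        elif (m := UPSTREAM_RE.match(msg)):
            info["upstream"].append(m.group(1))
        elif msg.startswith("no servers found"):
            info["warnings"].append(msg)
    return inst, overlaps


def stale_instances(inst, overlaps):
    """PIDs superseded by a newer start that still logged activity afterwards."""
    stale = []
    for o in overlaps:
        for pid in o["still_running"]:
            if inst[pid]["last"] > o["ts"] and pid not in stale:
                stale.append(pid)
    return stale


def report(lines):
    """Findings as plain text lines: one per PID, then OVERLAP/STALE verdicts."""
    inst, overlaps = analyze(lines)
    out = []
    for pid, i in inst.items():
        rng = f"{i['range'][0]}-{i['range'][1]}" if i["range"] else "no DHCP range"
        out.append(f"pid {pid}: {rng}; upstream {i['upstream'] or 'none'}; "
                   f"exited {'yes' if i['exit'] else 'no'}; warnings {len(i['warnings'])}")
    for o in overlaps:
        out.append(f"OVERLAP: pid {o['new_pid']} started while {o['still_running']} still running")
    for pid in stale_instances(inst, overlaps):
        out.append(f"STALE: pid {pid} kept logging after being superseded")
    return out


# Constructed sample modelled on the thread's log; addresses are placeholders.
SAMPLE_LOG = """\
Wed Oct 30 21:55:51 2024 daemon.info dnsmasq[2357]: started, version 2.85 cachesize 1
Wed Oct 30 21:55:51 2024 daemon.warn dnsmasq[2357]: no servers found in /tmp/resolv.conf.d/resolv.conf.auto, will retry
Wed Oct 30 21:55:54 2024 daemon.info dnsmasq[2357]: using nameserver 192.0.2.1#53
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[2357]: exiting on receipt of SIGTERM
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: started, version 2.85 cachesize 1
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq-dhcp[4243]: DHCP, IP range 172.20.100.100 -- 172.20.100.249, lease time 12h
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using nameserver 100.100.100.100#53 for domain ts.net
Wed Oct 30 21:55:55 2024 daemon.info dnsmasq[4243]: using nameserver 192.0.2.1#53
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: started, version 2.85 cache disabled
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq-dhcp[5256]: DHCP, IP range 192.168.8.100 -- 192.168.8.249, lease time 12h
Wed Oct 30 21:56:03 2024 daemon.info dnsmasq[5256]: using nameserver 10.100.20.1#53
Wed Oct 30 21:56:47 2024 daemon.info dnsmasq-dhcp[4243]: DHCPACK(br-lan) 172.20.100.248 02:00:00:00:00:e0 mylaptop
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

On OpenWrt-based firmware, feed it the output of `logread -e dnsmasq` taken right after switching the DNS mode. A STALE verdict together with two different DHCP ranges is the pattern worth attaching to a bug report, and `ps | grep dnsmasq` on the router confirms whether the two PIDs really coexist rather than one having died without logging it.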

I've now factory reset Slate AX on 4.6.8, and the problems are worse than stated above.

With my setup (all traffic through WireGuard), DNS set to Automatic does not appear to work at all; all queries time out.

This should definitely be addressed before 4.6.8 ships.

This problem also occurs on Beryl AX running 4.6.8.

Hi,

I have tested and tried to reproduce this on my Slate AX and Beryl AX, and they worked.

  1. Enable WireGuard Client, Killswitch: on
  2. DNS Rebinding Attack Protection, Allow Custom DNS to Override VPN DNS, Block Non-VPN Traffic: on
  3. DNS default is Automatic -> nslookup ok.
  4. DNS swap to DoT with Cloudflare -> nslookup test ok.
  5. DNS swap back to Automatic -> nslookup test ok.

Step 5 result:

I'll try to ask R&D to check.


If I have my DNS on the default setting, then enable the WireGuard VPN, and after that enable AdGuard Home:

Then when I disconnect the VPN and connect again, the VPN won't get a resolved IP from the domain name and the VPN fails; it was only fixed when I disabled AdGuard Home.

All other settings were untouched.

^ Observed on the MT3000, version 4.7.0.

The issue is AGH. :frowning:

Guess something is wrong with the order in which DNS resolving works.


Likely, although I didn't read anything about AGH in the OP, but I managed to replicate something similar with this exact order.

Thank you for checking into this! I factory reset my Slate AX thinking it might solve the issue, but I still experienced the problem. But, in the next few days I'll reset it again and try to exactly record anything I alter in the settings, and what the outcome is.

In my case I'm not running AdGuard Home, so I'm not sure what is going on with my setup.

I wonder if the DNS mode has to do with it; that is what I noticed when AdGuard was enabled: it likely altered the state it was in before (manual DNS).

Definitely, for me it looked like it tried to resolve the endpoint domain inside the tunnel, which isn't connected.

Was this problem fixed in 4.6.9 that was just released to stable? I had DNS issues as well on 4.6.8 to where my VPN DNS servers weren't being used but instead AdGuard Home servers. Upon updating to 4.6.9 on my Beryl AX, it appears it may be fixed now.